Endpoint Compliance

Stanford's data needs protection wherever it goes. University computing equipment and other endpoint devices used for sensitive Stanford business — including computers, smartphones, and tablets — must be configured to provide that protection.

Endpoint Compliance Rules

All devices must have operating systems that are supported by the vendor with security updates. In particular, systems running Windows XP must be upgraded to a newer OS, as Microsoft discontinued support in April 2014. (Although Microsoft has extended support for its anti-malware signatures for an additional 15 months, the core Windows XP operating system will not receive security updates.) This requirement is suspended for devices that manage scientific instruments or run unique software applications that cannot be easily upgraded.

All endpoints that store, process or transmit Prohibited or Restricted Data — including Protected Health Information (PHI) — must be managed and encrypted.

These are minimum requirements for all of Stanford. Any additional requirements of individual departments or organizations still apply.

Do I have to comply?

All University employees must comply with these requirements. They apply to all University-owned laptops, desktops, smartphones and tablets ("devices"), personally-owned devices used on the Stanford Network, and personally-owned devices that could be used to access Protected Health Information (PHI) or other Restricted or Prohibited Data.

Support for backup, management, and encryption of endpoints is available to all Stanford affiliates, so you can take advantage of it even if your role or device does not require it.

How do I comply?

CrashPlan, a managed file backup service for all laptops and desktops, is available to your department from IT Services.

If your laptop or desktop has SWDE installed for encryption, then it is already managed by BigFix. Unencrypted laptops and desktops can become managed by installing BigFix alone, but as they will all require encryption eventually it is better to install SWDE wherever possible.

Identity Finder scans will be performed only after specific consent by the individual whose files are being scanned.

Consult your department's IT support for any additional requirements. For example, in the School of Medicine see the school's Data Security web site.

When do I have to comply?

All new endpoint devices purchased by Stanford must be configured for encryption before they are used. Endpoints that are already in use must be brought into compliance by the dates indicated in the chart below.

Endpoint Compliance Deadlines

Mandate | Compliance Deadline
------- | -------------------
File Backup for Laptops/Desktops | Recommended Prior to Encryption
Encryption - New Laptops/Desktops | Today
MDM - Mobile Devices that Store/Access PHI | February 28, 2014
SWDE - Laptops/Desktops that Store/Access PHI | February 28, 2014
Windows XP Migration - Laptops/Desktops that do not control scientific instruments | April 8, 2014
BigFix Installation - Laptops/Desktops that Store/Access PHI or other Prohibited or Restricted Data | May 28, 2014
SWDE - Laptops/Desktops with >500 Identity Finder hits | July 31, 2014
SWDE - Laptops/Desktops with >10 Identity Finder hits | November 30, 2014
Encryption - Laptops/Desktops that do not control scientific instruments | May 31, 2015

Compliance Exceptions

Endpoints that are critical to Stanford business but that cannot comply with these rules (such as dedicated instrument systems) must follow a formal exception process, and suitable compensating controls should be implemented.

Blackberry mobile devices, Windows Phones, and Linux systems are currently not supported by MDM or SWDE, and so are temporarily exempt from the management and encryption mandates until SWDE and MDM are available for these platforms. Until they are available, these devices should not be used to store, process or transmit PHI or other Prohibited or Restricted Data without a formal exception.